Having a publicly available CGI service is always a balance between security and usability. The more you lock down the less users can do, and vice versa.
There are several files in /etc which need to be seen by all users for many programs to function correctly, and although you might be able to see the files as a 'normal' user, only root can edit or remove them.
Unfortunately due to the balance of user freedom and security, there are many things malicious people can do to get on to the CGI platform and abuse it, I've seen many, many different attacks over the years, but have never seen a privilege escalation (that is someone gaining root access to the boxes). Although it may be cold comfort for customers, the CGI platform is completely isolated from the rest of our network, if it was to be compromised fully then people wouldn't be able to get at our more sensitive systems from it.